Conclusion
Please correct me if I'm wrong here.
Most of these vulnerabilities require ntpd's authentication scheme(s) to be configured, which are horribly fragile by themselves and practically never used outside self-hopping minefields.
That leaves the Xleave problem, although having multiple server associations might protect a little.
Well, auto-update should take care of most of our servers. Only the custom ntpd on a Raspberry Pi w/ GPS needs recompiling.